Reuben Paul showed how a teddy bear which can connect to the cloud can be hacked.
Photograph: Lenora Gim/Getty Images

An 11-year-old “cyber ninja” has stunned an audience of security experts by hacking into their Bluetooth devices to manipulate a robotic teddy bear, showing in the process how interconnected smart toys “can be weaponised”.

Reuben Paul, who is in sixth grade at school in Austin, Texas, and his teddy bear Bob wowed hundreds at a cyber-security conference in the Netherlands.

WannaCry ransomware has links to North Korea, cybersecurity experts say

Read more

“From airplanes to automobiles, from smartphones to smart homes, anything or any toy can be part of the Internet of Things (IOT),” said the small figure pacing the huge stage at the World Forum in The Hague.

“From terminators to teddy bears, anything or any toy can be weaponised.”

To demonstrate he deployed his cuddly bear, which connects to the cloud via wifi and Bluetooth to receive and transmit messages.

Plugging into his laptop a device known as a “Raspberry Pi” – a small credit-card size computer – Reuben scanned the hall for available Bluetooth devices, and to everyone’s amazement including his own, suddenly downloaded dozens of numbers, including some of top officials.

Then using a computer language called Python he hacked into his bear via one of the numbers to turn on one of its lights and record a message from the audience.

“Most internet-connected things have a Bluetooth functionality ... I basically showed how I could connect to it, and send commands to it, by recording audio and playing the light,” he told AFP later.

“IOT home appliances, things that can be used in our everyday lives, our cars, lights refrigerators, everything like this that is connected can be used and weaponised to spy on us or harm us.”

They could be used to steal private information such as passwords, as remote surveillance to spy on kids, or employ GPS to find out where a person is, he said. More chillingly, a toy could say “meet me at this location and I will pick you up”, Reuben said.

His father, information technology expert Mano Paul, told how aged about six Reuben had revealed early IT skills.

Using a simple explanation from dad on how one smartphone game worked, Reuben then figured out it was the same kind of algorithm behind the popular video game Angry Birds.

“He has always surprised us. Every moment when we teach him something he’s usually the one who ends up teaching us,” Mano Paul told AFP.

But Paul said he been “shocked” by the vulnerabilities discovered in kids’ toys, after Reuben first hacked a toy car, before moving on to more complicated things.

“It means that my kids are playing with timebombs, that over time somebody who is bad or malicious can exploit.”

Now the family has helped Reuben, who is also the youngest American to have become a Shaolin Kung Fu black belt, to set up his CyberShaolin non-profit organisation.

Its aim is “to inform kids and adults about the dangers of cyber-insecurity”, Reuben said, adding he also wants to press home the message that manufacturers, security researchers and the government have to work together.

Reuben also has ambitious plans for the future, aiming to study cyber-security at either CalTech or MIT universities and then use his skills for good.